• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

IPv6 glue test impossible with afraid.org domains?

Started by miloszgancarz, August 03, 2009, 12:52:39 PM

Previous topic - Next topic

miloszgancarz

I've come to the conclusion that since IPv6 glue requires the registrar to add AAAA records for NS record names on the TLD server(s), getting past the IPv6 Sage test with a domain hosted on afraid.org is impossible. 

Servers ns*.afraid.org don't have any AAAA records and therefore the guru test query will never succeed. 

Am I correct in this sum-up? 

I'm referencing this thread to support my conclusion.
http://www.tunnelbroker.net/forums/index.php?topic=274.msg1402#msg1402

As such, an IPv6 Sage certification requires purchasing one's own domain from a registrar that provides IPv6 glue, or working with an existing domain environment setup with IPv6. 


thanks

kriteknetworks

Or moving the domain to a registrar that supports IPv6 glue, you can find a list in the FAQ section of http://www.sixxs.net


snarked

The service at freedns.afraid.org is NOT a domain registration service.  It is DNS.  These are separate things.

You are correct that since the DNS servers at afraid.org don't have IPv6 addresses, they cannot be used with the test.  However, they will serve IPv6 glue records.  Your conclusion is correct but the logic you used to arrive at the conclusion is faulty.

yorick

Well, not quite. afraid.org cannot serve glue records, since it is not a registry. It can serve host records for name servers, yes. "A glue record is the IP address of a name server held at the domain name registry." See also http://faq.domainmonster.com/dns/glue_record/

More to the point, afraid.org can serve NS records, which lets you use your own out-of-bailiwick name server for one of the afraid.org subdomains. You can get through "Guru" with a combination of afraid.org, v6ns.org and a BIND server (or indeed powerdns) running on your local v6-enabled network.

To get "Sage", you need your own domain from a registrar that can set ipv6 glue with the registry. I used gkg - they support v6 glue right there in the web interface, which made it quite easy to set up. Alternatively, you can have someone who has their own domain with glue for their server set up a zone for you; that will work just as well.

This should also work if you started out with an afraid.org subdomain, by setting your new and shiny glue-enabled NS as an out-of-bailiwick NS on your afraid.org subdomain.

afaik, none of the free DNS services have ipv6-enabled name servers, never mind ipv6-enabled name servers with ipv6 glue. At least I was not able to find any. Hence the need to run your own server, or give a friend a beer and use his.


snarked

You forget about freedns.afraid.org's ability to register subzones under zones it already hosts.  Those may have glue records.

yorick

Quote from: snarked on August 07, 2009, 11:23:28 AM
You forget about freedns.afraid.org's ability to register subzones under zones it already hosts.  Those may have glue records.

You'd think so - but their glue is moot, unless you can use their name servers too. Which would bring us back to the "beer" scenario.

Take a look at a glue service set up specifically for the Guru test: ns0.nic.v6ns.org has glue; that doesn't mean that ns1.sub.v6ns.org has glue. I can say with utter conviction (because I tried it) that you do need glue on your own NS to pass Sage, not just on the NS for the domain hosting your subdomain. To re-state, that means an AAAA entry at the registry of the TLD of your NS's FQDN.

leenoux

you're right yorick,
unless afraid.org can serve NS records, which lets us use our own out-of-bailiwick name server(with ipv6 glue on tld registries) for one of the afraid.org subdomains.we cannot obtain sage using one of subdomain in afraid.org  :)

yorick

Quote from: leenoux on August 08, 2009, 03:56:36 AM
unless afraid.org can serve NS records, which lets us use our own out-of-bailiwick name server(with ipv6 glue on tld registries) for one of the afraid.org subdomains.

You are right, and they can. That's how I got sage without needing to reset the domain used for the tests. It doesn't buy you much - you still need an NS with glue that you control. It is a way to get to sage for the terminally stubborn - or you could mail ipv6@he.net, ask for a reset of your tests, and go with one of your own domains (with glue) from the very start.

I hate starting over, though. That's almost admitting defeat, that is.

snarked

The problem isn't that afraid.org can't serve IPv6 glue.  It can and does.
The problem is that afraid.org itself doesn't have IPv6 glue leading to its in-zone name servers.

Those are DIFFERENT issues.

yorick

Quote from: snarked on August 08, 2009, 04:35:55 PM
The problem isn't that afraid.org can't serve IPv6 glue.  It can and does.

It can't serve TLD glue records, which is what the Sage test looks for. I haven't found a way that it could serve more pedestrian non-TLD glue records, either, but that's neither here nor there for the sage test.

Put a more technical way: Say you have a .com domain at afraid.org - yorick.mooo.com, why not. And your nameserver is ns1.yorick.mooo.com. What the Sage test looks for is an answer to "dig ns1.yorick.mooo.com AAAA @a.gtld-servers.net", essentially - a AAAA record for your nameserver held at the registry for the TLD. That is TLD glue, and afraid.org certainly can't provide it. Not with AAAA nor with A.

A more "pedestrian" glue might be to set an NS record at afraid.org for yorick.mooo.com pointing to ns1.yorick.mooo.com, and then have an A (or AAAA) entry at the mooo.com level for ns1.yorick.mooo.com, so it can be found. I don't see a way to do that in afraid.org, either, but maybe I'm missing something in the web interface. Even if that is possible - and if so, I'd love to learn how it's done in their interface - that's still not TLD glue, and won't get you through Sage.

Whether afraid.org's servers are reachable over AAAA is rather beside the point. The glue has to be at TLD level for this test; the afraid.org name servers would never get involved in the query, anyway, if TLD glue could be provided.

To be fair, this is not afraid.org's fault in the least. I'm not even sure a subdomain service like this _can_ get TLD glue entered for all those subdomains. I can see the operators of the TLD registry objecting to such an idea.

The discussion really is only about "what is TLD glue", and "how do you get it", and possibly "and then how can you complete Sage on the afraid.org subdomain you started out with, once you have TLD glue" - not about "whose fault is this" (nobody's, truly) or "rabble rabble afraid.org should" (they should be given lots of beer for providing an awesome and free service).

dielaughing

This is one of those things that makes me angry because it wastes my time. IF IT IS IMPOSSIBLE TO USE AFRAID.ORG YOU NEED TO STATE THAT IN BIG FREAKING WORDS ON YOUR HOME PAGE! Otherwise you are real jerks wasting lots of people's time. Time to chalk he.net as another horribly stupid site with an eye bleeding design. Your language is vague, your directions are incomplete, and you are underhandedly biasing people against IPv6. TRY AND MAKE IT MORE DIFFICULT, WHY DON'T YOU. I mean, sheesh, life is hard enough without unnecessarily complicating things. EPIC FAILURE. >:(

broquea

#12
IPv6 Glue is submitted at the registrar level either by creating NS host records with IPv6 addresses or setting other NS authoritative with existing IPv6 Glue, for your domain. If your TLD doesn't support glue, you can use another NS in a different domain as 'out of bailiwick', as long as that NS you are using has had glue configured with their registrar.

Afraid.org isn't our responsibility or service, nor are we aware of how they've configured the availability of their services. I personally happen to have only known of their free reverse DNS for IPv6 allocations service, which is commendable and works quite well.

We've provided no walk-though on how to complete from Newbie through Sage, except for a handful of various software configuration examples, and a general idea on what each level tests for. There is no goal achieved in spoon-feeding answers. The better goal is to get people thinking and looking at their various services and learn how to get them up and running on IPv6. Answers can and will be found by researching online, as well as asking the community or even us directly.

I would say, in contrast to the comment about creating a bias against learning about IPv6, that the almost 7,000 users (as of this post) that have decided to try the free online certification program seem inclined to want to learn something more about IPv6.

leenoux

well, like old wise man said "no pain, no gain"  ;)
honestly, in my experiences with ipv6, he.net/tunnelbrokers.net do the excelent job/service for me.
their staffs are very responsive, eventhough this service is without SLA.

my knowledges is getting better and better dealing with ipv6 stuffs, configuring daemons(smtp,pop3,dns,http), routing  etc..

thanks to he.net and their staffs  :)

yorick

dielaughing: Really, now? When I started, I only had the vaguest idea what "glue" was. "Bailiwick" sounded like something out of a Dickensian novel. All that time-wasting and googling and head-scratching, getting to Guru only to be stuck at Sage again, pondering the relative merits of "feed a friend some beer and have him take care of it" vs. "get my own domain and really see what setting up glue looks like" - I had a blast!

So, yeah - if taking part in such a fun, hands-on learning exercise gets your blood roiling so badly, then it may be time to move on. Or, alternatively and preferably, you could step back a few steps, take a deep breath, and treat this as the excellent teaching tool it is. The clues on how to finish the test are so thick in this post, they may amount to violating HE's "no step-by-step walkthrough" rule.